Awareness training not enough, says security researcher

Cyber security awareness training of employees does not go far enough to be effective, says McAfee research director

Cyber security awareness training for employees does not go far enough to be effective, according to David Marcus, director of advanced research and threat intelligence at McAfee.

He said businesses more commonly fail in systemic issues when it comes to IT security, chief among these being effective training for users.

“Although adversaries use many different attack methods, there is a lot of commonality around the social engineering techniques they use, and there is a lot of value in tackling that,” he said.

But pure awareness training is not as effective as scenario-based training, he told Computer Weekly.

Marcus believes employees need to face simulated hacking attempts to learn how to recognise them properly and take appropriate action.

“Only by getting into the boxing ring will anyone learn how to block blows from an opponent,” he said.

The military would not send soldiers into an operational area without practical training, said Marcus, yet enterprises routinely put employees in a position where they will get attacked without any training.

“Information security professionals who fail to provide behavioural training are doing a disservice to the company, its employees and its shareholders,” he said.

While not all companies have the resources to devise such training programmes, Marcus said there is a growing number of providers of this type of training, such as PhishMe and TrustedSec.

“But this is a long-term process that information security practitioners need to undertake if they really want to protect their organisation's data assets and people,” he said.